3v4l.org

run code in 500+ PHP versions simultaneously
<?php $xml = <<<XML <!DOCTYPE root [ <!ENTITY attack SYSTEM "config/config.ini"> <!ENTITY ent SYSTEM "entities/ent.txt"> ]> <xml> &attack; &ent; </xml> XML; // emulate existing local file mkdir('/tmp/entities/'); file_put_contents('/tmp/entities/ent.txt', 'OK ENTITY'); libxml_set_external_entity_loader( function (?string $public, ?string $system, array $context) { $path = realpath('/tmp' . $system); if ($public === null && $path !== null && str_starts_with($path, '/tmp/entities/')) { $resolved = file_get_contents('/tmp' . $system); } else { $resolved = 'nice try but no'; } $f = fopen('php://temp', 'r+'); fwrite($f, $resolved); rewind($f); return $f; } ); $doc = new DOMDocument; $doc->loadXML($xml, LIBXML_NOENT); echo $doc->saveXML(); ?>
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/fpedv
function name:  (null)
number of ops:  23
compiled vars:  !0 = $xml, !1 = $doc
line      #* E I O op                               fetch          ext  return  operands
-----------------------------------------------------------------------------------------
    2     0  E >   ASSIGN                                                       !0, '%3C%21DOCTYPE+root+%5B%0A++++%3C%21ENTITY+attack+SYSTEM+%22config%2Fconfig.ini%22%3E%0A++++%3C%21ENTITY+ent+SYSTEM+%22entities%2Fent.txt%22%3E%0A%5D%3E%0A%3Cxml%3E%0A++++%26attack%3B%0A++++%26ent%3B%0A%3C%2Fxml%3E'
   14     1        INIT_FCALL                                                   'mkdir'
          2        SEND_VAL                                                     '%2Ftmp%2Fentities%2F'
          3        DO_ICALL                                                     
   15     4        INIT_FCALL                                                   'file_put_contents'
          5        SEND_VAL                                                     '%2Ftmp%2Fentities%2Fent.txt'
          6        SEND_VAL                                                     'OK+ENTITY'
          7        DO_ICALL                                                     
   17     8        INIT_FCALL                                                   'libxml_set_external_entity_loader'
   18     9        DECLARE_LAMBDA_FUNCTION                              ~5      [0]
   29    10        SEND_VAL                                                     ~5
   17    11        DO_ICALL                                                     
   32    12        NEW                                                  $7      'DOMDocument'
         13        DO_FCALL                                          0          
         14        ASSIGN                                                       !1, $7
   33    15        INIT_METHOD_CALL                                             !1, 'loadXML'
         16        SEND_VAR_EX                                                  !0
         17        SEND_VAL_EX                                                  2
         18        DO_FCALL                                          0          
   34    19        INIT_METHOD_CALL                                             !1, 'saveXML'
         20        DO_FCALL                                          0  $11     
         21        ECHO                                                         $11
   35    22      > RETURN                                                       1


Dynamic Functions:
Dynamic Function 0
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 46) Position 1 = 10, Position 2 = 12
Branch analysis from position: 10
2 jumps found. (Code = 46) Position 1 = 13, Position 2 = 15
Branch analysis from position: 13
2 jumps found. (Code = 43) Position 1 = 16, Position 2 = 22
Branch analysis from position: 16
1 jumps found. (Code = 42) Position 1 = 23
Branch analysis from position: 23
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 22
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 15
Branch analysis from position: 12
filename:       /in/fpedv
function name:  {closure:/in/fpedv:18}
number of ops:  37
compiled vars:  !0 = $public, !1 = $system, !2 = $context, !3 = $path, !4 = $resolved, !5 = $f
line      #* E I O op                               fetch          ext  return  operands
-----------------------------------------------------------------------------------------
   18     0  E >   RECV                                                 !0      
          1        RECV                                                 !1      
          2        RECV                                                 !2      
   19     3        INIT_FCALL                                                   'realpath'
          4        CONCAT                                               ~6      '%2Ftmp', !1
          5        SEND_VAL                                                     ~6
          6        DO_ICALL                                             $7      
          7        ASSIGN                                                       !3, $7
   20     8        TYPE_CHECK                                        2  ~9      !0
          9      > JMPZ_EX                                              ~9      ~9, ->12
         10    >   TYPE_CHECK                                      1020  ~10     !3
         11        BOOL                                                 ~9      ~10
         12    > > JMPZ_EX                                              ~9      ~9, ->15
         13    >   FRAMELESS_ICALL_2                str_starts_with      ~11     !3, '%2Ftmp%2Fentities%2F'
         14        BOOL                                                 ~9      ~11
         15    > > JMPZ                                                         ~9, ->22
   21    16    >   INIT_FCALL                                                   'file_get_contents'
         17        CONCAT                                               ~12     '%2Ftmp', !1
         18        SEND_VAL                                                     ~12
         19        DO_ICALL                                             $13     
         20        ASSIGN                                                       !4, $13
   20    21      > JMP                                                          ->23
   23    22    >   ASSIGN                                                       !4, 'nice+try+but+no'
   25    23    >   INIT_FCALL                                                   'fopen'
         24        SEND_VAL                                                     'php%3A%2F%2Ftemp'
         25        SEND_VAL                                                     'r%2B'
         26        DO_ICALL                                             $16     
         27        ASSIGN                                                       !5, $16
   26    28        INIT_FCALL                                                   'fwrite'
         29        SEND_VAR                                                     !5
         30        SEND_VAR                                                     !4
         31        DO_ICALL                                                     
   27    32        INIT_FCALL                                                   'rewind'
         33        SEND_VAR                                                     !5
         34        DO_ICALL                                                     
   28    35      > RETURN                                                       !5
   29    36*     > RETURN                                                       null

End of Dynamic Function 0

Generated using Vulcan Logic Dumper, using php 8.5.0

preferences:
159.82 ms | 1624 KiB | 21 Q